[Snort-sigs] RE: Signature Database

James Ashton James at ...2424...
Wed Apr 28 07:47:10 EDT 2004

 This is not about the quality of the work you do. The snort.org sig base has nothing but improved during your tenure as "sig nazi". Everyone knows that the sigs in the signature files on snort.org are the best sig for the situation that thy cover. This is about the needs of a few of us who are in a situation where we value your sigs but need something to at least HELP with detecting stuff that has just been released. I am not going to release a file to be automaticaly added like people add your rule files. but I do think that there is a need for someone to offer a group of rules that has less moderation and, while definatly not the rule quality you provide, gets there fast enough to take SOME of the load off the overworked techs that are dealing with outbreaks of new stuff.  No one is going to mistake a sig they got of my site for somehting that came from snort.org... and once you add a sig that covers the same vulnerability they will certainly remove the sig they got from here... but in the meantime   something is better than nothing.

James Ashton

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net on behalf of Brian
Sent: Tue 4/27/2004 10:13 PM
To: Matthew Jonkman
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: Signature Database
On Tue, Apr 27, 2004 at 04:37:14PM -0500, Matthew Jonkman wrote:
> What I think we need is a combination of a moderator tested release of
> realtime rules, and a controlled feedback mechanism. Someone submits a
> sig. That sig goes into a moderator que, (not to the members of the
> list), the moderator looks it over for functionality, tests it where
> necessary. If the sig is functional and doesn't hit a ton of false
> positives they approve it. The sig gets dropped into the realtime
> rules set and an email goes out to those interested in knowing about
> it.  Making that set cvs available would facilitate most of this
> process, just adding a web frontend to take the submissions would be
> the only thing to code really.

You mean, just like we have now, except with more than me at the helm?

Perhaps you forgot what it was like before I took over as the "rules
nazi".  No, I did not come up with that term, Marty did.

For those of you that have started using snort since then, let me
refresh your memory.

There was an online mechanism for submitting rules.  There were multiple
people that could say "Sure, this looks alright to me."  It got added.
The ruleset were available for download instantly.  (Well, sorta.  It
was complicated.)  It was even on snort.org.

The reason I got involved with the snort project was because the ruleset
sucked.  Sure, there were a ton of rules.  Sure, lots of people worked
very hard on them.  Don't forget the problems though.

There was no documentation.  There was no testing.  There were no
references.  There were no handling of duplicates.

In short, there was no quality.  

Why do you want to go back to that?  A ton of people have worked VERY
hard to make sure Snort's ruleset of the utmost quality.  I am not the
only one, I've just been the biggest contributor.


This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list